Project Glasswing turns frontier cyber capability into an operations problem
Anthropic's expansion of Project Glasswing shows that powerful cyber models shift the bottleneck from finding vulnerabilities to triage, disclosure, patching, and access control.
Summary
Anthropic’s expansion of Project Glasswing is worth a close read for anyone building AI security products. The headline is that more organizations are getting access to advanced cyber capabilities through Claude Mythos Preview. The story underneath is that vulnerability discovery is becoming the easy part of the workflow, while triage, verification, disclosure, patching, deployment, and access governance are where the work actually piles up.
Anthropic says its first cohort of partners used Mythos Preview to scan codebases and surfaced more than 10,000 high- or critical-severity flaws. It is now expanding to roughly 150 additional organizations across more than 15 countries, leaning toward critical infrastructure providers and toward vendors and nonprofit maintainers whose code is relied on by governments and many other organizations. That scale makes the operational problem hard to miss: finding many flaws only helps if defenders can process them faster than attackers can exploit the same class of capability.
For builders, Project Glasswing should reset the framing of AI security. The product to build is not “model finds bug.” It is “organization safely turns model findings into fixed, deployed software.”
What happened
Anthropic announced the expansion of Project Glasswing on June 2, 2026. The program began with roughly 50 partners using Claude Mythos Preview to scan their own codebases for vulnerabilities. Anthropic now says it is extending the partnership to approximately 150 new organizations, each of which must clear a set of security requirements before gaining access. That gate is part of the program’s design, not a formality bolted on afterward.
The new cohort spans more than 15 countries and includes sectors such as power, water, healthcare, communications, and hardware. Many participants are vendors or nonprofits that maintain codebases other organizations depend on indirectly. Anthropic argues that for many of these partners, a successful attack could affect more than 100 million people. In other words, the security posture of these codebases is itself a kind of public infrastructure, not just one company’s internal concern.
The announcement also makes a broader claim: cheap, fast AI models with strong cyber capabilities are near, and institutions need operating norms that reflect that before it arrives. Anthropic says Mythos-level general access will require safeguards that are not yet robust enough, because cyber capability is inherently dual-use. The same skill that helps a defender close a hole helps an attacker walk through it.
HN discussion landed on exactly those pressure points: how access is granted, how expensive it is, where the safety line sits, and whether restricted programs are driven by risk, cost, infrastructure limits, or all of them tangled together.
Why it matters
Project Glasswing matters because it puts the next cyber AI bottleneck out in the open. Once a model can produce plausible vulnerabilities in bulk, the security team inherits a queueing problem. Which findings are real? Which are actually exploitable? Who owns the affected code? How should the issue be disclosed? How fast can a patch be written, reviewed, shipped, and monitored over time? None of those questions is solved by training a stronger model.
The defensive advantage depends on shortening that entire loop. If discovery speeds up but patching does not, the usual result is not more safety but a deeper backlog and more pressure. A model that emits a thousand findings does not help unless it also ranks, reproduces, explains, and fixes them. Otherwise it has simply handed the same workload to a human triage team, now arriving faster than before.
This is also the root of why general access is hard. Cyber models are dual-use by construction: the capability that finds a dangerous bug for a maintainer hands an attacker the same opening. Anthropic’s restricted access is a bet that defenders can hold a timing advantage while safeguards mature. Whether the bet pays off has little to do with how the launch is narrated and everything to do with execution: partner selection, monitoring, disclosure norms, and patch throughput.
Technical takeaway
The first technical point is that cyber agents need to ship evidence packages, not vulnerability claims. A useful finding carries the affected code, exploit preconditions, reproduction steps, the reasoning behind its severity, the false-positive risk, a suggested patch, tests, and disclosure guidance. Without that package, the model has not saved anyone work; it has handed triage a nicer-looking ticket. The honest test of a security agent is whether a finding lets the person who receives it reproduce and confirm the issue in ten minutes, not how many findings it can emit in a day.
Patch generation has to be evaluated separately from bug discovery, and this is the seam where products quietly cut corners. A model can be excellent at smelling out suspicious code and poor at writing a safe fix. Security patches often have to preserve compatibility, avoid regressions, and respect the realities of a deployment environment. A patch that looks clean can open a fresh hole or take production down. Reporting discovery and remediation as a single score hides the most expensive part of the loop.
Then there is access control. High-capability cyber models need user verification, scoped permissions, logging, and task boundaries. But those controls have to be precise enough that they do not also wall off legitimate defensive work. Clamp down too hard and defenders drift toward less governed tools, pushing risk outward; open up too far and the misuse surface grows. The hard part is not choosing strict over loose; it is telling intents apart accurately.
Builder impact
If you are building a security agent, put the weight on the workflow that begins after the finding. Design around triage queues, reproduction artifacts, patch branches, maintainer communication, and audit logs. The measure of the product is whether it makes a security team faster, not whether it can emit a few more alerts.
Ranking and deduplication belong near the top of the feature list. A large codebase throws off many related findings, and a useful agent clusters the duplicates, traces the shared root cause, estimates exploitability, and separates “this smells off” from “this is actionable.” Conflate those two and the team slowly loses patience inside the noise.
For open-source work, disclosure UX carries real weight. Maintainers are already overloaded, so a report has to be concise, reproducible, respectful of embargo norms, and easy to validate. A verbose, vague, or simply wrong AI-generated report destroys trust faster than it builds it, and an open-source maintainer’s trust, once spent, is hard to win back.
For enterprise teams, the unglamorous work is integration: issue trackers, code review, CI, SBOMs, asset inventories, and deployment pipelines. The win is not the moment the scan completes. The win is the moment a patch is fixed and deployed, and the distance between those two moments is exactly the engineering most products skip.
Research impact
Security AI evaluation needs full-loop benchmarks. A benchmark that rewards only discovery misses the defensive outcome that matters and steers the whole field with a badly skewed metric. The tasks worth measuring follow a vulnerability all the way through: find, verify, prioritize, patch, test, and communicate. Where the chain breaks, the score should say so plainly.
Dual-use evaluation needs sharper categories too. Not every cyber request deserves the same treatment. Defensive code review, exploit reproduction inside a private test harness, scanning a public target, malware development, and patch validation carry very different risk. Research should help systems tell those intents apart rather than waving requests through or rejecting them by keyword, which fails in both directions.
Project Glasswing also surfaces institutional research questions with no ready answers. By what rule should scarce access be allocated? How do we measure, objectively, whether defenders actually gained a timing advantage? And how do we avoid opening a widening capability gap between well-resourced organizations and the people maintaining critical but chronically underfunded open-source software? These are unavoidable, even if they are uncomfortable.
Community signal
HN discussion around Project Glasswing settled on the hard issues: whether Mythos Preview will become generally available, why access is restricted, how expensive it is, and whether infrastructure limits are part of the picture. That skepticism is useful, because it keeps the conversation from collapsing into the lazy poles of “release everything” or “lock everything down.”
The more telling signal is that technical users already grasp the tradeoff. They want defenders to have better tools and they also understand that unrestricted cyber capability rewrites the threat model. The unresolved question is the same one the program is built around: how to scale access without losing control.
What to ignore
Ignore the claim that AI vulnerability discovery automatically makes software safer. Safety improves once a vulnerability is verified, patched, deployed, and monitored. Discovered, it is still only the first queue, with every downstream step still waiting.
Ignore narratives that frame restricted access as purely safety or purely business. In practice, safety, cost, infrastructure limits, and partner governance are entangled, and picking any one as the whole explanation reads the situation wrong.
Finally, ignore any security agent that cannot explain a finding in terms a maintainer can act on. This is the spot a slick demo most easily disguises: a tool that surfaces ten thousand issues looks formidable, but if each one costs a human half a day to confirm, it can manufacture more work than it removes. The frontier is not more alarms. It is turning model capability into finished defensive work.